[Drawing sheet 1/17, FIG. 1: system diagram. Labelled components: BROWSER, GATEWAY SERVER, SERVER, AGENT, FIREWALL, BROWSER, UI SERVER, NETWORK SERVER, AGENT, DATABASE, SERVER; reference numerals 10, 13, 14, 15, 16, 18, 20, 22, 24, 26, 28. Sheets 2/17 and 3/17 are not captured.]
[Drawing sheet 4/17, FIG. 4: fingerprint F1. Labels ORGANIZATIONAL INFORMATION and PASSIVE ELEMENTS over the files FILE1.exe, FILE2.txt, FILE3.dat, FILEX.xxx. ACTIVE ELEMENTS: COMMAND: CHECK SIZE AND CHECKSUM OF FILE1.exe; MATCH: SUB1 OR SUB2.]

[FIG. 5A: sub-fingerprint SUB 1. MATCH F1 ACTIVE ELEMENTS; SIZE OF FILE1.exe = XXX; CHECKSUM OF FILE1.exe = YYY.]

[FIG. 5B: sub-fingerprint SUB 2. MATCH F1 ACTIVE ELEMENTS; SIZE OF FILE1.exe = ZZZ; CHECKSUM OF FILE1.exe = BBB.]
[Drawing sheet 5/17, FIG. 6: MACHINE 1 hosting TOMCAT (160) with WEBAPPS and EMPLOYEE PROFILES (180); MACHINE 2 (162).]
[Drawing sheet 6/17, FIG. 7A: flowchart. Events CONNECTION.LISTENER.EXISTS / CONNECTION.EXISTS -> CONNECTION RULE (700) -> ACTION (706), with outcomes DISMISS, GENERATE RESOURCE.ADD MESSAGE (710) or GENERATE RESOURCE.MODIFY MESSAGE (712).]
[Drawing sheet 7/17, FIG. 7B: flowchart. Events CONNECTION.LISTENER.DELETED / CONNECTION.DELETED (720) -> CONNECTION RULE (722) -> ACTION (724) -> decision "DELETE OF PREVIOUS CONNECTION OR LISTENER?" (NO / YES) -> GENERATE RESOURCE.MODIFY MESSAGE (728) -> DISMISS.]
[Drawing sheet 8/17, FIG. 7C: flowchart triggered by events PROCESS.EXISTS / PROCESS.DETAIL.]
[Drawing sheet 11/17, FIG. 8: AGENT 12 containing OBSERVER SERVICE (50) and ANALYSIS SERVICE (70), three FILTERING blocks, and NETWORK SERVER 10.]
[Drawing sheet 12/17, FIG. 9: flowchart. CREATE FINGERPRINTS FOR DISCOVERY (200) -> COLLECT EVENTS USING OBSERVERS (202) -> USE FINGERPRINTS AND SUBFINGERPRINTS TO DISCOVER COMPONENTS (204) -> DISCOVER DEPENDENCIES BETWEEN COMPONENTS (206) -> TRACK CHANGES TO DISCOVERED COMPONENTS (208) -> GENERATE A VISUAL MAP OF THE SYSTEM (210).]
[Drawing sheet 14/17, FIG. 11: flowchart. Events FILE.EXISTS / REGISTRY.SETTING.EXISTS / SCHEMA.EXISTS (300) -> PACKAGE_DETECT RULE (302) -> ACTION (315); TRACK_CHANGE RULE (324); TRACK_INSTALL RULE (326) with ADD TO ACCUMULATOR and ACTION; boxes EXECUTE ACTIVE ELEMENT ACTIONS (314), DETERMINE INITIATING PID, GENERATE COPY COMMAND (320), FORWARD COMMAND, COPY CONTENTS, SELECT TARGET TRACK DETAILS LIST, ADD MESSAGE TO SELECTED DETAILS LIST (334); NO branches and DISMISS terminators.]
[Drawing sheet 15/17, FIG. 12: flowchart. Events FILE.DELETED / REGISTRY.SETTING.DELETED / SCHEMA.DELETED (400) -> TRACK_INSTALL RULE (426) -> ACTION (428); boxes DETERMINE INITIATING PID, GENERATE PACKAGE UNINSTALLED MESSAGE (416), SELECT TARGET TRACK DETAILS LIST (434), ADD MESSAGE TO SELECTED DETAILS LIST (436); NO branches and DISMISS terminators.]
[Drawing sheet 16/17, FIG. 13: flowchart. Events FILE.MODIFIED / REGISTRY.SETTING.MODIFIED / SCHEMA.MODIFIED (450) -> PACKAGE_DETECT RULE (452) -> ACTION (466); TRACK_CHANGE RULE (478); TRACK_INSTALL RULE (480) with UPDATE ACCUMULATOR and ACTION; boxes DETERMINE INITIATING PID, EXECUTE ACTIVE ELEMENTS ACTIONS (464), GENERATE COPY COMMAND & FORWARD TO OBSERVER, COPY CONTENTS IN OBSERVER & SEND TO ANALYSIS SERVICE, DETERMINE DIFFERENCES BETWEEN CURRENT CONTENTS & PREVIOUS CONTENTS, SEND DIFFERENCES TO NETWORK SERVER, SELECT TARGET TRACK DETAILS LIST, ADD MESSAGE TO SELECTED DETAILS LIST (474, 475, 476, 488); NO branches and DISMISS terminators.]
[Drawing sheet 17/17, FIG. 14: flowchart. APPLICATION DETECTED MESSAGE (502) -> COMPONENT DETECT RULE (500) -> (508) TRACK CHANGE RULE (504) -> FORWARD MESSAGE TO NETWORK SERVER (510) -> RETRIEVE TRACK CHANGES LIST AND FILTERS -> GENERATE COPY COMMAND TO GET INITIAL VERSION OF ITEMS TO TRACK (516) -> SEND MESSAGE TO OBSERVER TO START TRACKING CHANGES WITH LISTS -> DISMISS.]

r 



520 



TRACK INSTALL 
RULE 




NO 



RETREIVE LIST 
OF TRACKED 
INSTALLS 



I 



525 



SELECT INSTALL 
DETAILS BASED 
UPON PID 



HAVI 
CANDIDATE 
J-RACK INSTAL 
>ETAILS2 



526 



NO 



528 



GENERATE 
APPLICATION 
INSTALL DETAILS 
NOTIFICATION 



I 



530 



FORWARD 

INSTALL 
DETAILS TO 
SERVER 



I r 532 
Q DISMISS^* 



